29e870507f65136b06f3609c86c396ffa7f0d1b4d5c9576140cf285c42bfdad6

Analysis

max time kernel
120s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11-01-2025 21:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

29e870507f65136b06f3609c86c396ffa7f0d1b4d5c9576140cf285c42bfdad6.exe
Size

165KB
MD5

de3e45ddc99ced0bf53edca442147648
SHA1

545426c5bfa80d4156c86217528612632686b3d9
SHA256

29e870507f65136b06f3609c86c396ffa7f0d1b4d5c9576140cf285c42bfdad6
SHA512

cebbe25862e947ccf8f89cd69a9e0f36348ac36efb0aee8b59dcd360245dcf0368c024190fad7699c002963dac5289953e61ba3aab9219c934ac9182f9164262
SSDEEP

1536:V7Zf/FAxTWoJJZENTBHfiP3zHLe4pWHlPEXZzjUq3th5f6utM5vLNinVmWvMu0bD:fny1tEULVWHIjN3tj6qnv0b2UrXkbvLu

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (2792) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2780-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/files/0x000a000000012250-2.dat	upx
behavioral1/files/0x0002000000010621-6.dat	upx
behavioral1/memory/2780-70-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_CopyNoDrop32x32.gif.tmp	29e870507f65136b06f3609c86c396ffa7f0d1b4d5c9576140cf285c42bfdad6.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPOlive.png.tmp	29e870507f65136b06f3609c86c396ffa7f0d1b4d5c9576140cf285c42bfdad6.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\1047x576_91n92.png.tmp	29e870507f65136b06f3609c86c396ffa7f0d1b4d5c9576140cf285c42bfdad6.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_de_DE.jar.tmp	29e870507f65136b06f3609c86c396ffa7f0d1b4d5c9576140cf285c42bfdad6.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.text.nl_zh_4.4.0.v20140623020002.jar.tmp	29e870507f65136b06f3609c86c396ffa7f0d1b4d5c9576140cf285c42bfdad6.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\shadowonlyframe_videoinset.png.tmp	29e870507f65136b06f3609c86c396ffa7f0d1b4d5c9576140cf285c42bfdad6.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\15x15dot.png.tmp	29e870507f65136b06f3609c86c396ffa7f0d1b4d5c9576140cf285c42bfdad6.exe
File created	C:\Program Files\Java\jre7\bin\net.dll.tmp	29e870507f65136b06f3609c86c396ffa7f0d1b4d5c9576140cf285c42bfdad6.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Grand_Turk.tmp	29e870507f65136b06f3609c86c396ffa7f0d1b4d5c9576140cf285c42bfdad6.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Jamaica.tmp	29e870507f65136b06f3609c86c396ffa7f0d1b4d5c9576140cf285c42bfdad6.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.core.nl_ja_4.4.0.v20140623020002.jar.tmp	29e870507f65136b06f3609c86c396ffa7f0d1b4d5c9576140cf285c42bfdad6.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-attach.xml.tmp	29e870507f65136b06f3609c86c396ffa7f0d1b4d5c9576140cf285c42bfdad6.exe
File created	C:\Program Files\Java\jre7\lib\zi\EET.tmp	29e870507f65136b06f3609c86c396ffa7f0d1b4d5c9576140cf285c42bfdad6.exe
File created	C:\Program Files\7-Zip\7zG.exe.tmp	29e870507f65136b06f3609c86c396ffa7f0d1b4d5c9576140cf285c42bfdad6.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE.tmp	29e870507f65136b06f3609c86c396ffa7f0d1b4d5c9576140cf285c42bfdad6.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.felix.gogo.shell_0.10.0.v201212101605.jar.tmp	29e870507f65136b06f3609c86c396ffa7f0d1b4d5c9576140cf285c42bfdad6.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Dushanbe.tmp	29e870507f65136b06f3609c86c396ffa7f0d1b4d5c9576140cf285c42bfdad6.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\fa.pak.tmp	29e870507f65136b06f3609c86c396ffa7f0d1b4d5c9576140cf285c42bfdad6.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe.tmp	29e870507f65136b06f3609c86c396ffa7f0d1b4d5c9576140cf285c42bfdad6.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Manila.tmp	29e870507f65136b06f3609c86c396ffa7f0d1b4d5c9576140cf285c42bfdad6.exe
File created	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\fr-FR\MSTTSLoc.dll.mui.tmp	29e870507f65136b06f3609c86c396ffa7f0d1b4d5c9576140cf285c42bfdad6.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\vignettemask25.png.tmp	29e870507f65136b06f3609c86c396ffa7f0d1b4d5c9576140cf285c42bfdad6.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\javafx-doclet.jar.tmp	29e870507f65136b06f3609c86c396ffa7f0d1b4d5c9576140cf285c42bfdad6.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.rcp_4.3.100.v20141007-2301.jar.tmp	29e870507f65136b06f3609c86c396ffa7f0d1b4d5c9576140cf285c42bfdad6.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-applemenu_ja.jar.tmp	29e870507f65136b06f3609c86c396ffa7f0d1b4d5c9576140cf285c42bfdad6.exe
File created	C:\Program Files\Common Files\System\Ole DB\oledb32r.dll.tmp	29e870507f65136b06f3609c86c396ffa7f0d1b4d5c9576140cf285c42bfdad6.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\specialoccasion.png.tmp	29e870507f65136b06f3609c86c396ffa7f0d1b4d5c9576140cf285c42bfdad6.exe
File created	C:\Program Files\Google\Chrome\Application\master_preferences.tmp	29e870507f65136b06f3609c86c396ffa7f0d1b4d5c9576140cf285c42bfdad6.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Sitka.tmp	29e870507f65136b06f3609c86c396ffa7f0d1b4d5c9576140cf285c42bfdad6.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.bindings_0.10.200.v20140424-2042.jar.tmp	29e870507f65136b06f3609c86c396ffa7f0d1b4d5c9576140cf285c42bfdad6.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.updatechecker.nl_ja_4.4.0.v20140623020002.jar.tmp	29e870507f65136b06f3609c86c396ffa7f0d1b4d5c9576140cf285c42bfdad6.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\InputPersonalization.exe.mui.tmp	29e870507f65136b06f3609c86c396ffa7f0d1b4d5c9576140cf285c42bfdad6.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationLeft_ButtonGraphic.png.tmp	29e870507f65136b06f3609c86c396ffa7f0d1b4d5c9576140cf285c42bfdad6.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.simpleconfigurator_1.1.0.v20131217-1203.jar.tmp	29e870507f65136b06f3609c86c396ffa7f0d1b4d5c9576140cf285c42bfdad6.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Recife.tmp	29e870507f65136b06f3609c86c396ffa7f0d1b4d5c9576140cf285c42bfdad6.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\rarrow.gif.tmp	29e870507f65136b06f3609c86c396ffa7f0d1b4d5c9576140cf285c42bfdad6.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-api.xml.tmp	29e870507f65136b06f3609c86c396ffa7f0d1b4d5c9576140cf285c42bfdad6.exe
File created	C:\Program Files\Microsoft Games\Chess\desktop.ini.tmp	29e870507f65136b06f3609c86c396ffa7f0d1b4d5c9576140cf285c42bfdad6.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-filesystems.xml.tmp	29e870507f65136b06f3609c86c396ffa7f0d1b4d5c9576140cf285c42bfdad6.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-windows.xml.tmp	29e870507f65136b06f3609c86c396ffa7f0d1b4d5c9576140cf285c42bfdad6.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationRight_ButtonGraphic.png.tmp	29e870507f65136b06f3609c86c396ffa7f0d1b4d5c9576140cf285c42bfdad6.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Hobart.tmp	29e870507f65136b06f3609c86c396ffa7f0d1b4d5c9576140cf285c42bfdad6.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.configuration_5.5.0.165303.jar.tmp	29e870507f65136b06f3609c86c396ffa7f0d1b4d5c9576140cf285c42bfdad6.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-dialogs.xml.tmp	29e870507f65136b06f3609c86c396ffa7f0d1b4d5c9576140cf285c42bfdad6.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\org-openide-util_ja.jar.tmp	29e870507f65136b06f3609c86c396ffa7f0d1b4d5c9576140cf285c42bfdad6.exe
File created	C:\Program Files\Java\jre7\bin\sunmscapi.dll.tmp	29e870507f65136b06f3609c86c396ffa7f0d1b4d5c9576140cf285c42bfdad6.exe
File created	C:\Program Files\7-Zip\Lang\el.txt.tmp	29e870507f65136b06f3609c86c396ffa7f0d1b4d5c9576140cf285c42bfdad6.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-5.tmp	29e870507f65136b06f3609c86c396ffa7f0d1b4d5c9576140cf285c42bfdad6.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaire.exe.tmp	29e870507f65136b06f3609c86c396ffa7f0d1b4d5c9576140cf285c42bfdad6.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationLeft_ButtonGraphic.png.tmp	29e870507f65136b06f3609c86c396ffa7f0d1b4d5c9576140cf285c42bfdad6.exe
File created	C:\Program Files\Internet Explorer\jsprofilerui.dll.tmp	29e870507f65136b06f3609c86c396ffa7f0d1b4d5c9576140cf285c42bfdad6.exe
File created	C:\Program Files\Microsoft Games\Solitaire\SolitaireMCE.lnk.tmp	29e870507f65136b06f3609c86c396ffa7f0d1b4d5c9576140cf285c42bfdad6.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-swing-plaf.xml.tmp	29e870507f65136b06f3609c86c396ffa7f0d1b4d5c9576140cf285c42bfdad6.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-coredump.jar.tmp	29e870507f65136b06f3609c86c396ffa7f0d1b4d5c9576140cf285c42bfdad6.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-modules-appui.xml.tmp	29e870507f65136b06f3609c86c396ffa7f0d1b4d5c9576140cf285c42bfdad6.exe
File created	C:\Program Files\LockEnable.rmi.tmp	29e870507f65136b06f3609c86c396ffa7f0d1b4d5c9576140cf285c42bfdad6.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr\profile.jfc.tmp	29e870507f65136b06f3609c86c396ffa7f0d1b4d5c9576140cf285c42bfdad6.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\topnav.gif.tmp	29e870507f65136b06f3609c86c396ffa7f0d1b4d5c9576140cf285c42bfdad6.exe
File created	C:\Program Files\Java\jre7\lib\zi\CST6CDT.tmp	29e870507f65136b06f3609c86c396ffa7f0d1b4d5c9576140cf285c42bfdad6.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Porto_Velho.tmp	29e870507f65136b06f3609c86c396ffa7f0d1b4d5c9576140cf285c42bfdad6.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Godthab.tmp	29e870507f65136b06f3609c86c396ffa7f0d1b4d5c9576140cf285c42bfdad6.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\et.pak.tmp	29e870507f65136b06f3609c86c396ffa7f0d1b4d5c9576140cf285c42bfdad6.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-javahelp_zh_CN.jar.tmp	29e870507f65136b06f3609c86c396ffa7f0d1b4d5c9576140cf285c42bfdad6.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipsnor.xml.tmp	29e870507f65136b06f3609c86c396ffa7f0d1b4d5c9576140cf285c42bfdad6.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	29e870507f65136b06f3609c86c396ffa7f0d1b4d5c9576140cf285c42bfdad6.exe

C:\Users\Admin\AppData\Local\Temp\29e870507f65136b06f3609c86c396ffa7f0d1b4d5c9576140cf285c42bfdad6.exe
"C:\Users\Admin\AppData\Local\Temp\29e870507f65136b06f3609c86c396ffa7f0d1b4d5c9576140cf285c42bfdad6.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-312935884-697965778-3955649944-1000\desktop.ini.tmp

Filesize
166KB

MD5
23e1ff2c690d1558852aa534ae2a1b49

SHA1
76525b80a08749f9791237e9566b82be3113daef

SHA256
ad1c6064923fc38b5ce9b386503e38698892c009462d06fc68fbfb66e9bd98cc

SHA512
772ee450d510142e3add86ac42c8f5af5b32a27ccb081be4fffbe258a9f72100d9201bf1156598c6c4a1601e158842c0c8b96b151f1e79463428f25dbc1caad3

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
174KB

MD5
6950aa6805d3cdcc7c86d2e685c4f184

SHA1
51f0cdd3a68eb5cc5755a17eeadcf776b22d0dc9

SHA256
20f89cd564a7f81ab472f252f2c307c39bb8ec1a6397494814d19e049b93c671

SHA512
bdaa5cd45bb2a22c0653f17766ff6a2dc2a9d0368d4a3ca52a1a8c0658e865109a67cb4c20a2a992bcf03fd1e233aac45d79a121445d2666243deaad9db23595

Download Submit
memory/2780-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2780-70-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download